All right.
The lights are bright.
Good morning, everybody. I'd like to welcome you all to day one of Citi's Global TMT Conference. I'm Fatima Boolani. I jointly head up the software research team here, and I am absolutely delighted to be able to host the CEO of Palo Alto Networks, Nikesh Arora. Thank you so much for being here.
Thank you for having me.
I'm very excited to dig right into the discussion here. I wanna start off with a very stratospheric level question for you. Six, six and a half years ago, you joined Palo Alto, and you came into the industry proper with a fresh set of eyes and a clean sheet of paper. What are the biggest attitudinal shifts and changes you've witnessed in the market from a behavior, procurement, CIO, pain point standpoint? And, you know, the flip side of that, what has remained stubbornly unchanged?
Good morning, Fatima. Lovely to see you as well.
It's getting heavy.
I understand that. Like, you know, you chose the best ballroom in New York. It's the best lighting, so-
Always.
We can get started. Like in the last five or six years, if you've looked around, because of the scale and the, let's say, impact of cyberattacks, cyber has gone from being something you did to something that boards and CEOs had to pay attention to. If you look at the last three months, you've seen a bunch of healthcare attacks, you've seen a bunch of attacks across industry, and these end up being substantive. You have to report them to the SEC, so it's, and if you do, we all do enterprise risk management on our boards, and suddenly, cyber has made it to the top right category in terms of something that is important. So there's more focus on it across the board.
One, two. I think people have come to the conclusion that the old approaches of having 30 or 40 vendors in infrastructure and hoping you're safe isn't working because all these breaches are happening despite deploying that strategy. So there's a lot of people saying something has to change. And what's fascinating is, the moment there's a breach, the remediation is to rip out all the gunk and replace it with solid cybersecurity vendors and platforms. So the question is, why doesn't that happen before? Why do we have to wait for some sort of forcing function to happen? And you're seeing more and more of that as we go through technology cycles. The amount of time it used to take to fix a security problem used to be four to seven days. Now people are demanding hours.
So there's an attitudinal shift in the way CIOs, CISOs see this, where they think they need to get ahead of this problem, they need to solve it faster. And it's kind of interesting. You see one breach in healthcare, every other healthcare CIO, CISO, wants to pick up the phone and talk to and say, "How do we fix it? What do I need to do to get ahead of this?" So I think you're seeing more growing recognition. That's kind of happening. I think in terms of what is stubbornly still staying the same, there's a faction of believers who thinks the right answer is still keep it going the way you used to do it, and solve it one point solution at a time, which is what we fondly call the best of breed strategy.
That's still prevalent in some cases, and people are still doing that, but I think it's a matter like, you know, it took the Salesforce, the Workday, the ServiceNow of the world, 10 or 15 years to replace the stitching of multiple tools and moving into platforms, and I think you're gonna see a similar cycle in the cybersecurity space.
I'm gonna ask you the obligatory macro question-
Obligatory.
And I'm gonna have to keep it, because you have a really interesting vantage point in terms of the types of pernicious problems and very real problems that you're solving for a lot of organizations across broad, broad swaths of the economy, right? So you have CIO, CTO, CISOs coming through your offices, you know, quarterly, you know, business reviews with your customers. So again, just from your vantage point, you know, the macroeconomic conditions have both been favorable to you from the consolidation argument standpoint, but also, it's tough. Budgets are tough to come by. You know, we've all become armchair macroeconomists in the course of the last twelve to eighteen months, right?
From your standpoint, you know, how is macro weighing or maybe even helping some of your customer dialogues in terms of budgetary allocation and budgetary growth?
I see, this might be slightly orthogonal from what you're hearing from other people. I haven't met a CIO or CISO who says, "I'd love to do this, but I don't have the money." Because generally, CFO is telling you that you can't fix something in cybersecurity. Nobody wants to take the responsibility to say, "Ah, you know, we're gonna do this next year. Until the next year, just keep doing what you're doing, and if there's a breach or a bad thing happens, don't worry about it. I got your back." So the conversation never is that I don't have the budget. The conversation usually is: I have a budget. I can only buy so much because that's all my appetite is, or that's all I have resources to go execute, so I can't do the whole thing at the same time.
I have phased ideas about what I want to do this year and next year. That's fine. I think what's different is, this is something we've talked about, you and I, in the last 12 to 18 months, while you've been doing your armchair macro thing you were just talking about, the CFOs are paying more attention. CFOs are saying, "Give me value for money. What are you spending this on? Why are we spending this? Why am I getting the right deal or not?" So I joke about this, called the revenge of the CFOs. The interest rates brought them back. I was like, our CFO, Dipak, you know. We're talking to him, and I was like, "Shit, it's cost me 6%.
Why would I do this?" So I think you are seeing more financial discipline creep in from a budgetary perspective, and some people are misinterpreting that to be macroeconomic issues with technology spending. I haven't seen macroeconomic issues around technology spending across the board... And nobody's saying, "I'm gonna slow down my cloud transformations," or, "I'm not gonna deploy AI because I don't have the budget." Because everybody believes it's existential.
I wanna go back to an earlier comment you made around, hey, there's this, you know, paradigm shift on a recognition from, you know, the technical C-suite. Recognizing that a best-of-breed strategy obviously has limitations, right? So, you know, I also wanna say, you single-handedly added the term platformization to the investor vernacular, right? So-
Remember who said it yesterday.
So on that point, you know, there have been elements of platformization that you've been working on for a number of years, just kind of given how expansive your portfolio is. But circa seven months ago, there was definitely more of a concerted shift and effort to towards this notion of platformization, right?
Mm.
So, you know, from a standpoint of what you saw in the market and economy, you know, what was it in the evolution of the customer behavior that prompted you to say, "Let's make a more deliberate move, and have a more institutionalized set of approaches on this notion of platformization?" And I think for the uninitiated, you can tell us what platformization is.
Okay. Sure, sure. Well, you know, in short, platformization is sort of deploying four different products and trying to get one to talk to the other, and then to talk to the other one. You can have one platform that the products talk to each other, so you can sort of input here and output there, the other end of the fourth product, as opposed to... I'm trying to find the right, you know, portfolio management analogy, but I can't come up with it, right? So if you had four different screens for Bloomberg, which are four different products, you'd understand the difference, right?
So, the question on what drove the impetus for platformization, you know, a boss that I used to have at Google, Eric, was asked in a podcast, you know, "What would he have changed historically if you could go back and do something different?" He said that, "I'd execute on my good ideas faster." So I wish we had done platformization faster. And maybe it was the right time for us to do it, because I think our four products that connect to one platform are more ready today than they were one year ago. But I think the other part of the realization was that this is something we have, and most others don't, right?
I can give you a SOC management platform with XSIAM and XDR and ITDR, and these are all three or four-letter acronyms we create in our industry to protect our jobs, so please don't get confused. But it's a, it's a platform that basically helps you manage your security operations center. Most security operations center have anywhere from five to 15 different tools, and we've brought six or seven of the big ones together, and we're gonna keep adding to it. That's so you don't have to go buy 15 and stitch them, and run from screen to screen. You can do it in one place. Connecting them together is not just about making the user interface work, it's also connecting the data in the back, so you don't have to deal with managing data.
To give you a sense, we ingest 76 terabytes a day of data just in our SOC. There's no way possible that you can have 17 tools analyze 76 terabytes of data. You have to have one thing that does it. This all goes to Google Cloud, goes to BigQuery, could go to Snowflake. That's the kind of scale I'm talking about with one SOC, right? We've sold about 130 of them, we've deployed 50. We're already past 7.6 petabytes a day. This is not a human problem anymore. I think what drove us to go faster on it is the realization that something we have, others don't. Kind of right place, right time.
CFOs are looking for a consolidated spend, where they get more value for money, so that allows us to drive that even faster.
You know, on paper, there's so much of a compelling value from exactly what you said, right? Immediate ROI, better outcomes. You know, a lower administrative and operational overhead for an industry that is, you know, notorious for having a deficit.
Just come on a sales call with me. That's what it did.
I'm available after the day.
Wonderful.
So, you know, when you think about, you know, the opportunities for your go-to-market organization to come up with these wealth of data points that are very compelling for your customers, what has changed culturally from a go-to-market perspective from your standpoint, to help you drive towards, you know, more and more, customers in your install base that are platformized, right? I think you've talked about, hey, there is a cohort of 5000 customers that are most eligible-
... to see the most amount of success from platformization, but you have 65,000 customers, right? So what is the eligibility criteria that, hey, these are the 5,000, and how should we think about that long tail of the remaining 60+thousand ?
60-plus, yeah. I think it's important to understand, we have 62,000 customers of all shapes and sizes. We didn't say these are the 5,000 that qualify. We said our top 5,000 customers... and we have three platforms, so eligible, so that'd be 15,000 platformization deals, right? If even we got to 25% penetration in that 15,000 opportunities, we'd hit $15 billion in ARR. That's the math we did, and you could be customer 6,000 and make your way up to 5,000, if you want to spend more money with us. So it's not like we chose 5,000, everybody else is ignored. We're just saying, if you do the math, we just need 5,000 great customers who will do at least one platformization or 0.6 platformization with us to get us to our number.
And, yeah, so that's the math.
So related to that, you know, and we've kind of meandered through this topic around, hey, platformization is allowing you to have very real conversations on dollars and cents-
Yeah
... with CFOs, and even from an architectural and technology consolidation standpoint. So clearly, good traction here. You know, I think we're getting a good sense of what the killer advantages are for moving down the platformization curve or moving up, rather. But these are inherently large deal tickets, right? So in-
It's a good thing.
It is a good thing. So I wanna get your sense from, hey, you're doing more than $2 million on average in terms of ARR per platformized customer, right? That's big, but, you know, even if we take a step back, that's not as big in the grand scheme of things when maybe we compare your business to a ServiceNow. I think their ACVs with their customers are mid- to high-single-digit millions, right? So how do you get to a point where you continue to drive monetization from already very satisfied customers, right? Are you a victim of your own success in your ability to take that $2 million of ARR and continue to march it higher?
Let's step back. What is a stratospheric question? Roughly 6%- 10% of a company's technology budget is cybersecurity, right? If you look at JP Morgan, I read somewhere they spend $18 billion or something in technology. I may be off by a few billion dollars. 10% is $2 billion, right? We have 4%- 5% share of the market. So $2 million is a good number, but our largest customer does $25 million in ARR per year, okay? So that's the art of the possible. It's a Fortune 50 company, right? That's the art of the possible. $2 million is better than $500,000, $500,000 is better than $200,000. So six years ago, when we started, we did $2 billion of revenue. Our largest deal was $5 million ARR per year.
Now it's 25 million ARR, right? So is there a path I can see for a few thousand customers to keep marching from two up? Yes, there is. But that requires consolidation, that requires them to focus on taking a platform. You asked me earlier, what is the big change that has happened is, a lot of these platformization deals or these re-architectural deals in cybersecurity are driven by systems integrators. People like Accenture, like Wipro, like IBM, like, you know, PricewaterhouseCoopers, et cetera. So also, what has also changed for us in the last few years is, they want to deal with less vendors.
They're hard enough understanding what they do for a living than to understand 50 security vendors and say, "I need to understand all your portfolios so I can design that architecture." Now, given our scale, which is still small, given our scale and our breadth of our portfolio, they'd rather talk to us so we can give them 3 platforms than go to 3 of us and talk about one platform each, or perhaps even 5 of us to stitch a platform together. So from that perspective also, I think it's called walk around.
I wanna, sort of moonwalk into the next area of conversation that ties to platformization, but it's around your next generation security franchise. You know, this was essentially a nonexistent business when you got here six years ago. You're now clocking in at a $4 billion franchise. So, you know, the first question, how do you see all of your efforts around platformization contributing to what, you know, are implicitly, you know, pretty high growth rates in a business of that size, as you pave a path towards $15 billion of NGS ARR over the course of the next six years?
Now, look, six years ago, when we started this journey, we were a hardware company that sold firewalls, and we had a bunch of software capabilities that we had, which... And, you know, my board says to me, "Hey, let's - why don't you figure out a way of turning this company into a SaaS business and make it an ARR company?" "That sounds great. How do I do that?" I think part of what we did in the last six years is we spent $4.5 billion, bought a bunch of companies, stitched them together into a platform, did a lot of innovation at home, and got to a point where majority of the $4 billion is net new business that we generated. So we took our go-to-market engine, applied that to these capabilities, for north of $4 billion.
At the same time, we also transformed our existing business towards this. We think, you know, in the next five years, we can get 80%-90% of our business in a SaaS mode, where it's all recurring revenue, and get to $15 billion. We see a path to it. What was your question again?
It's just, you know, that, that path towards, you know, naturally you're gonna have more-
Yeah
... and more customers with more and more pillars.
Yeah.
But even if you can tie it back to that, you know, aspirational, if every single one of your customers is paying you $25 million in ARR, that's an excellent outcome.
That's a lot better than two million. Yes.
There you go.
I understand that, but we don't—our expectation is not there. Our expectations are we need to be able to drive value for all of our customers. So, like, the way we've mapped it out is that we're at $4 billion. We have an aspiration to get to $15 billion by 2030. We know what each platform delivers in ARR. We did 91 last quarter. We did 65-70 the quarter before we started tracking it. If you stay in the 60-90 range for the next twenty-four quarters.
On platformization?
On platformization, we get to $15 billion, and in terms of opportunity, that's only 3,500 platformizations across 15,000 opportunities in our top 5,000 customers. That's the math, right? And the thing which we said last quarter, which was interesting for us, is as we traversed the last twelve months, our average ARR per platformization went up.
Mm-hmm.
Which one would expect. At scale, you know, if you do more, your average goes down. Actually, it was interesting. Actually, it went up. It may be purely because of the size of deals, and it may go back and be where it is, but it did go down, which gives me hope that our target of 3,500 will get us to 15 billion in ARR. Now it's a matter of keeping your head down and executing. The good news is, as I said, when we started this journey 12 months ago, it was as important to tell the market this is the way we're going, as it was to tell our own people. Now, every one of our salespeople wants to do platform deals.
Every one of our partners wants to come to us and say, "Let's go help you do a platformization." Yeah, so.
Biggest surprises, and maybe some of the key challenges that you've encountered in, like I said, scaling what was essentially a non-existent franchise six years ago, right? I mean, certainly the path, it seems linear, but in retrospect, there was probably a lot of twists and turns. So, you know, anything you look back on in terms of, you know, getting from zero to four, you know, getting from four to fifteen, how you're gonna circumnavigate some of those things that you've learned from the first point?
Yeah, look, some things we've been spending a lot of time on recently, and we will have to continue spending time on. When you're a hardware business, you sell a firewall, the customer deploys it. If they don't use it, they have it for six years. They paid for it, it's theirs. In the SaaS business, if you did sell it, they don't deploy it. When it comes time for renewal, you don't get a renewal because the customer's not using it. So there's been a huge focus. In fact, this year, we've tasked all of our sales engineers to also have a consumption target to make sure that everything you sold is actually getting consumed. The good news is, we see consumption.
Consumption is at a good place across our products because in a year, 18 months from now, a lot of consumption is gonna turn into renewals. Now, the good news is, you know, different platforms have different consumption metrics. In network security, there's less consumption metrics because you buy hardware firewalls, software firewalls. In SASE, we see reasonably high consumption there, and we have lots of opportunity to upsell our customers. In cloud, we only sold by credits, so we see consumption, and XSIAM, we actually see consumption rising. It's actually beating what we sold. You know, XSIAM is an early franchise, so that's 18 months in. We've sold, as I said, 130 of them. We've deployed 50.
Our top 10, 20 customers are $1 million in ARR, but we've already seen 3 or 4 customers come back and say, "I'd like to buy more," because we charged them for data ingestion. So it's good. So that's kind of the big shift, is we have to become a SaaS consumption business. I think what gets lost in this is that in the last 6 years, we've converted more than 50% of our business into ARR, right? It's close to 50% more. And we've done it quietly, under the radar. We've transformed the hardware business into a software business, and I think that journey continues till 2030.
Now, NGS ARR, as I think most people are familiar, it's a multidimensional franchise, right? So you've got SASE, you've got Cortex, you've got Cloud. At the highest level, when you think about the arc of the next six years, you know, among those pillars, where are you the most bullish in terms of market share capture, monetization potential?
Look, I think for us-
I know you love all the pillars equally.
That's right.
Just wanna say that.
You'll know that when you have more than one child, you have more than one. So they're all good. But I am excited about XSIAM because I've discovered in cybersecurity, you can replace an existing TAM much faster than you can create one. And if you go back historically, look, there used to be Symantec, McAfee, it got replaced by the EDR wave. A lot of new XDR, EDR companies came by. Customers had a budget, they had a product. Yours is far superior. You say, "I'm gonna replace it." It's much harder to go through. You need cloud security. What does that do? Like, we need AI security. What does that do? Let me take a look at it. How does it work? I don't have a budget.
So it's a lot harder building a new market than it is to take a market and replace it. Historically, you've replaced the endpoint security market with EDR, XDR. You know, we've replaced the old firewall market with next generation firewalls, and I think you're seeing that in SOC. That's why we did the IBM deal, which is announced just closed this morning. It's great. It's a $20 billion TAM, and I think we have the most advanced technology from a pure play cybersecurity vendor out in the market. I think we're about 18-24 months ahead of anybody else out there. Now, I always believe that if there's economic profit to be made, everybody's gonna chase you down. This is not forever, so that's why we're, you know, putting on turbocharge.
What it also does, for the first time in security, it's an outcome-based technology. I go to people and say, "I can take your time to fix your security issues from four days to un..." We are at one minute. Our first customers are at nine minutes. They can solve a security issue in nine minutes. Industry average is four to seven days. When I go make that pitch, and I can convince customers, I'm way ahead of everybody else. But when I get an outcome-based thing going, I can slowly work my way into getting to absorb more and more capability in the platform, as long as I keep building capability in the platform.
So I think five years from now, hopefully, if you're sitting here talking about this, you'll say, "Oh my God, you got a few thousand XSIAM customers, and they've got everything in a platform because you worked your way from there all the way back." Because the other things become less relevant because they're more interested in the outcome. So I'm really excited about that. There's a lot of focus across our company in terms of trying to make that real and execute on it. If you said to me eighteen months ago, will you get close to, you know, seven million in TCV in eighteen months? That's never been done in cybersecurity before.
So you talked about this, so we'll stick to Cortex just, because that seems to have so much more promise. You alluded to the fact that there has been major market shakeups here. I mean, you actually were part of shaking up the market, right?
Mm.
With the IBM QRadar. So I wanted to talk about, you know, the whole QRadar transaction. As you know, it seems like a pretty big strategic coup for you. You know, the calculus there, I think it's apparent why you did it, but I'd love to kind of hear it in your perspective. Why then? Because there are other assets in the space. And then just relatedly, from an incremental product and go-to-market strategy perspective, how are you positioning yourself to be in the pole position for when SOC architectures and entire SOCs are modernized? Because I think we are on the cusp of a major technological upgrade of most SOCs over the course of the next five years, seven years.
Yeah. No, look, I think that's what I said. It's a $20 billion market, which will get replaced. You will see it end up like the the endpoint market was, where the existing players are gonna have to give up share to newer players in the market. Now the, you know, not understanding cybersecurity as well, I'm a huge student of M&A. And a lot of M&A transactions fail because they become extremely complicated to execute and implement, and you end up having to maintain existing customer base, existing code, your new code, new customer base, and it's very complicated. And there are companies out there which have four solutions in the same space because they bought four different companies, they were never able to integrate.
Our deal with IBM is unique, where when Arvind and I first talked about it about two years ago, and we showed him what we're working on, he wasn't sure. But as we got to a point where he saw the benefits of XSIAM, he's like: I see it. I see this is what's gonna disrupt what we have. And we got ahead of it. And he's focusing more on DevOps and a lot of the AI stuff, and we said: Look, let us be your cybersecurity partner. Now, the deal is unique because we didn't buy any assets except for IP and their customer base. So we have our own product, our own code. We don't touch their code.
In fact, as of this morning, all the QRoC customers who secured our SaaS version are our customers, but IBM's running it for us. We actually have an outsourcing contract to run that business for us, which means for the customer, nothing changed. They're still talking to the same people at IBM, but IBM's running it for us. Anytime the customer wants to renew the deal, they have to come to us. And we say, "Don't renew QRadar because it's ours. We're gonna move you to XSIAM." So literally, we're going customer by customer and transitioning them to Palo Alto, but we're not touching any code or any of their people in the process, which is a very unique arrangement because it helps us avoid a lot of the pitfalls you will run into in an M&A transaction, right? So every new customer is onboarded onto my system.
There's no IT integration, there's no finance issues, no Salesforce issues. It's just, I'm running my business, I'm absorbing them into my business, and they have an incentive to migrate every customer to me, both QRadar SaaS as well as the on-prem customers, so that's kind of, like, interesting for us.
We were talking about this offline, but I think it's a really helpful line of conversation just as it relates to incentives and incentive structures around IBM and Palo Alto, so Palo Alto badged account executives versus IBM badged, you know, services and systems integrators. How is that economic and incentive relationship working? I mean, what's the alignment looking like? You said the alignment is there, but can you put some sort of-
Look, our people continue to get paid for what they get booked to Palo Alto. And every time there's an XSIAM deal to be had, our sales rep will go. They'll get paid on booking that deal with us. IBM has tremendous amounts of incentive to migrate those customers to us, both economically, because we're paying them, and also, for them, they want their customers off of QRadar because that's not something they're investing in, so they want their customers to get seamlessly migrated to Palo Alto. So they're paying their salespeople, and jointly, we're funding the migration for the customer.
Say, "Listen, your migration from QRadar to XSIAM is funded by Palo Alto and IBM together." And so the customer gets a free migration, the sales rep from IBM gets paid, and they can decide at any point in time to bring in their friend from Palo Alto, who's also gonna get paid, so they have to work together. I've never seen such good alignment with a partner in a while.
Now, I'd be remiss if I didn't ask you about the NetSec SASE business.
Sure.
You've had this be your dominant bread-and-butter franchise, but, you know, it's had a renaissance over the course of the last four years, right? So, you know, as you think about the scope of the SASE footprint and the market opportunity against what have been very much evolving market demands, what does the next five years of opportunity look like within the SASE franchise? And how are you focusing and prioritizing innovation in the SASE franchise, just from, you know, product development standpoint? And look, I think the genesis of the question is, there's gonna be hardware exposure in your business for a long time to come. And I think there is maybe a perception or a misperception that other parts of the business with much sexier growth trajectories are gonna get a lot more love from an R&D allocation standpoint.
What is the product strategy vision around SASE and how you continue to be dominant in the SASE arena, which has historically been where you've been very dominant?
Yeah, look, we've been. The customer's choice is the word, not dominant. It's not a good word. Customers have chosen our firewalls in the hardware space. And by the way, the hardware is not bad. I heard Michael Dell is here. He's got good hardware business, and NVIDIA has a hardware business. These are not bad businesses if I ask. So, you know, hardware is a good business, it's gonna be around for a while, because hardware is still the lowest cost per throughput. You want to pump a lot of bits and bytes, the cheapest thing is to put hardware in place. Software is more expensive to run because it requires... Eventually, it has to run on somebody else's hardware, so it's still the lowest throughput. So I think the hardware business is gonna be around.
It's just that the proportion of our software business continues to increase. It's just that. Now, the big shift that's happening is, as people move to the cloud, they're moving all their applications from the data centers to the cloud. The way we access those applications is changing as employees or users, and that access mechanism is what we call SASE. Five years ago, there was one major player in the space because they got there early. Today, there's seven of us trying to chase that market down. We're the second largest SASE player in the market, I think, by now. We were not a player four years ago.
Right.
And that's because we come from the roots of a hardware business, where we were able to pivot and bring all the capabilities on the software side. And the big difference in SASE that happens is, in hardware, we sold the hardware to the customer. In SASE, we run the service. So when you log in from your laptop, you're running on Palo Alto's bits and bytes to access your trading app or your portfolio optimization app in the back. That's a big change in the industry, and it takes time to sink in, right? So we have north of 15-20 million users who are actually running on our pipes.
Mm-hmm.
Large component companies like IBM just bought that product, so we're gonna power IBM's 250,000 employees accessing all their applications using our SASE product. Now, if that's the way your employees access your applications, the question becomes an innovation. What's gonna change in that mechanism? What are they gonna be doing? What's gonna be different? One, architecturally, we're different because we decided not to build our own data centers. There are two ways to do it. You can build your own data center in 150 countries. We're not a data center company.
Mm-hmm.
I cannot run a hundred and fifty data centers at 99.9% availability.
Mm-hmm.
That's a different set of businesses that do that.
Right.
So we decided to ride on Google Cloud and AWS, and Oracle pipes. So they run that 99.9% availability business. We run on them, and we switch between them, depending on which customer wants what and whether we're seeing availability one versus the other. So the one big difference, structurally. The second big difference is we think, as, you know, technology evolves, a lot of our employees and your employees are gonna be using AI. So it becomes even more important to see how do you govern that usage. Now that we're on these 15-20 laptops- 15-20 million laptops, and that's growing the SASE business, lots and lots of innovation is gonna depend on how do you look at what people do? How do you do data loss prevention?
If I'm using an AI app, and I'm uploading my company crown jewels in there, I need to be able to block that. How do you block that if you're not in the path of how an employee accesses that application? That's a lot of where the innovation is gonna be. We made a bet about a year ago on the enterprise browser. We said that having VPN agents on your laptops is not the right way in the long term, because we need to be able to see what you're typing so we can. Not we, your employers need to see to make sure you're not shipping the wrong data up there. I think enterprise browser is gonna be a renaissance in the SASE space.
Mm-hmm. We're the only player with an integrated enterprise browser now after our Talon acquisition. There's not many options in the market. We think AI governance is gonna become important in SASE. These are both products we've launched already in the last few months or so.
Two hundred million in ARR?
Sorry, what?
AI products are about $200 million in ARR in aggregate.
Yeah, it's a bit of XSIAM plus AI access in there. Yeah.
Okay. Just to round out the-
But I think that the significance of that is historically, back to the strategic point. Historically, our customers were always in the midst of replacing some security technology that had become obsolete.
Mm-hmm.
If you look at every CISO, they've got some projects, "Oh, I'm ripping this out because it's, that company is no longer there, or they haven't kept up with innovation." Our aspiration, in addition to platformization, is we wanna make sure that you never have to rip out our product. We don't want to be that endpoint product that replaced with XDR. We don't want to be that SOC that you replace in the future. So part of the paranoia you see in us is that we're constantly looking at where technology is evolving. So instead of us getting replaced by a start-up from Israel, perhaps giving you an AI firewall, we launched a fully functional AI firewall two weeks ago, right? So you don't have to replace Palo Alto.
You can take our virtual firewalls, which are embedded in Google Cloud, AWS, Azure, Oracle, IBM, and deploy an AI firewall right there. So part of the paranoia we have is that we need to stay ahead of this product development curve, not just in SASE, but in every category we play in. So that way, we're the ones that are replacing other people, we're not the ones getting replaced.
You know, I wouldn't be a card-carrying software analyst if I didn't ask you about generative AI, so I appreciate-
Oh
... you saying that. It sounds like a lot of infusion of those capabilities across the portfolio, but more specifically, around the governance of AI is kind of the opportunity you're tackling.
Yeah.
So I appreciate you kind of front-running that. Just to round out the NGS ARR conversation, you know, Prisma Cloud, it's been an arms race here. How are you ensuring that there's franchise growth, durability here, outside of, you know, your fortunes being tethered to general hyperscaler adoption trends? You know, historically, I know there's been a lag impact, right? But how are you kind of thinking about the durability of that franchise? And, you know, just from a market structure perspective, very different than it was two years ago, five years ago.
Mm-hmm.
Pricing dynamics have also changed. You know, I think maybe you'd argue there's a little bit of an oligopolistic behavior in the market structure, but you can-
Surely.
Uh-
It's like we're in kindergarten. Kindergarten kids don't understand oligopolies.
I love it. Okay.
So.
Okay. What's the calling card here for you to take disproportionate share in Prisma with Prisma Cloud?
Look, cloud security has gone through its own evolution. As I said, it's hard to make a market and, and tell consumers this is the right way. It's gonna evolve, and you have to watch it carefully. I'd say three, four years ago, we were here, we'd be talking about hygiene in cloud security.
Mm-hmm.
It's all about misconfiguration. Oh, my God, I set up my AWS wrong, you can have a breach, or I wrote the code wrong, you can have a breach. You know, as people have moved their applications to the public cloud, what's happened is, you have live applications running in public cloud. It's no longer about what mistake could I have made that's gonna cause a breach. It's like, Oh, my God, there's somebody going after my stuff. So what's happening in cloud is the focus is shifting from, I'll call it CNAPP, or which is basically a five-letter word for, all the configuration mistakes you can make in setting up your public cloud, to runtime security. It's like, don't worry about how I configured it, worry about if somebody's actually attacking me.
Mm.
Right? Because when I tell you, you misconfigured this, you could be, it's like, you know, getting a sort of a nutritional lecture from your partner. It's like, "You didn't eat right. You didn't do this right." Holy shit, if I keep- Yeah, I know if I fix all of that stuff, I'll be amazing.
A six-pack.
Yeah, exactly.
Yeah.
But think about what's wrong with me right now. Let's go to emergency. So things are gonna shift from. That's a good analogy this time in the morning, but-
Mm-hmm
... we'll go from CNAPP to runtime security.
Right.
That's what's shifting in cloud, so you're seeing the focus back where CDR agents, like we have with XDR, some of the companies which do real-time cloud security, becoming more and more relevant, and pricing is collapsing on the CNAPP side because it's sort of table stakes.
Mm-hmm.
Right? And we've seen that in the market... even now, we have a $700 million ARR franchise, which still makes us the largest independent cloud security player. As an independent company, you guys will be chasing it with even a better valuation than perhaps I heard in the market for somebody else in this space, which is CNAPP only. So I think it's still an evolving market. We have seen many companies come and go in this space in the last five years because they haven't been able to get traction. And again, it's non-trivial to build a 14-module platform that does a lot of these things and connects the dots. So this is not going away anytime soon. I just think you guys get a little impatient sometimes in these spaces.
Some of us. You know, the growth objective, crystal clear. But, you know, I think the unenviable task is you've got a, again, very wide portfolio around innovation priorities. You know, how are you thinking about, you know, R&D prioritization, right? But also related to that, kind of running and driving more and more efficiency as a business, right? You're a big company now. You've grown up, right? So there's some of these priorities around, hey, some of us wanna see margin expansion and free cash flow growth and all those finicky things, right? So how are you thinking about, you know, the overall aggregate investment envelope and operating expense prioritization on whole?
You know, like, I don't think we're too big. We're an $8 billion revenue business last year. I think we're in the sweet spot, honestly, of size of companies, 15,000 employees. If you're too small, you're doing a $1 billion in revenue, and you have 2,000 employees, you actually can't do any efficiency. You can't go invest $10 million to see, can I get coding faster and save myself 1,000 engineers? Or you can't deploy it against customer support and say: Can I reduce my customer support headcount by 30%? Can I invest $20 million there? Because we're a $1 billion revenue business, at $8 billion, we can.
So we have a lot of initiatives right now to see how does AI help us from a productivity perspective, and we've discovered it requires us to rethink our processes and redo a bunch of stuff. A very simple example, we have, like, you know, we had internal employee tickets of 250,000 employee tickets between 15,000 employees. We deployed generative AI. We had a bunch of work going on with automation. We've been able to take 75% of those heads out. We took out 150 people in internal ticketing, which was an internal project. We did that. We deployed generative AI. So there are ways to go drive efficiency at this size.
I think it's hard to do it if you have 30,000 employees because it's more complex, and it's uneconomical to do it if you have 2000 employees because you should be going out and chasing growth. So we like the size we're at. We think we can balance the investment needs and keep our operating margins consistent with wherever they are, which I think for our scale and in our industry, they're in a better spot than most other people, and I think there's room for them to go better.
Last two questions for you-
Yeah.
-to wrap what's been a fantastic discussion. M&A, you've got your fingers very much on the pulse on the market. You've been very active in the space. Observations on, you know, dislocations, or lack thereof in the private markets. You know, where are we in the cycle of rationalization and innovation and, you know, intrigue? And then my final question for you is, you know, the last six years were so much fun for you at Palo Alto. You signed up for another five years-
Right.
-to run the company. So I wanted to ask you for your policy agenda, in the way we end our conversation for the next six years.
All right, quickly, on the M&A front, I think, look, we had technical debt to pay. We were perhaps the most active cybersecurity M&A buyer in the market.
Right.
About 19 odd companies in the last five and a half, six years.
Mm-hmm.
But as now we're in front of the big swim lanes of cybersecurity, we always have to make a decision: Can we build this ourselves, or is the innovation so great that we have to go acquire? So we did the enterprise browser. The integration was not complex. We got it done in six months, but some things have become overlapping, become complex, which is something I don't like. We'd have to shut down a bunch of stuff, which is too complicated to do from an engineering perspective. That's how you end up with technical debt. So I think the M&A environment is cooling off, to be honest. I think there's still a dislocation in price versus value-
Mm-hmm.
and the expectations of startups, and I think that will fix itself.
Right.
If there are no buyers, eventually, you set your expectations right. There are companies that were hot five years ago, they're still around. They haven't crossed 20 million in ARR or 30 million ARR, and no one's gonna pay for them.
Mm.
So I think the private market is cooling off and will continue to cool off. I think the consolidation market will be the next market in play. You will find that companies in the $1 billion-$5 billion, $7 billion, $10 billion range are gonna be looked at by a lot of players to see: Can I get heft to catch up with Palo Alto or not? And that's gonna be an interesting play, and that's where I think a lot of mistakes will be made.
Mm-hmm.
But it'll be interesting to see.
Right.
And the policy... What is the policy?
Next five years as CEO, policy agenda.
I think, the most dangerous thing is to believe that you can rest on your laurels for the last five years and say, "I've got this figured out," because that's when all the bad things happen. So the idea is to keep staying paranoid, keep seeing where the market is coming at you. Doesn't mean that there won't be a great company that'll be born somewhere, that we'll have to take a look at hard to see do we innovate or do we buy? We got to keep that going. We got to keep our heads down and execute. There is a lot of, you know, enterprise, a lot about perspiration. We still got to go get those 3,500 platformizations done, but a lot of the plumbing, fixing, getting our shit ready has been done in the last five years.
So hopefully, we have a smoother ride on the execution side. But as you said to me earlier, the bar is higher, so you got to execute more flawlessly, more times than we have had to in the past. So there is a... It's constant growing up. That's why I said kindergarten versus, you know, reaching adolescence, but, lots of good stuff to it.
Fantastic. Thank you so much for such a candid discussion.
Thank you for having me.
I really appreciate it.